ACL plugin not working in db-less mode

Hi All,

I created a key auth plugin with two consumers and two auth keys. I can access the API with these two keys without any issue. Then I created two ACL plugins as below.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: acl-wl-test-sp
config:
  whitelist:
  - test-sp
  hide_groups_header: true
plugin: acl
" | oc apply -f -

echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: acl-bl-test-sp
config:
  blacklist:
  - test-sp
  hide_groups_header: true
plugin: acl
" | oc apply -f -

When I add this acl-wl-test-sp plugin to my API service, I cannot access the API with any of the keys from test-sp or test-sp2.

HTTP code: 403 Forbidden
{
    "message": "You cannot consume this service"
}

When I remove the above and add the acl-bl-test-sp plugin to my API service, I can access the API with any of the keys of test-sp and test-sp2. This is not the expected behavior of this plugin.

oc patch service proxy-from-k8s-to-ext -p '{"metadata":{"annotations":{"konghq.com/plugins":"acl-wl-test-sp"}}}'
oc patch service proxy-from-k8s-to-ext -p '{"metadata":{"annotations":{"konghq.com/plugins":"acl-bl-test-sp"}}}'

Appreciate your input.

Thanks!

Did you add the consumers to the ACL group?

@hbagdi,
‘test-sp’ added to the ACL plugin is a consumer created for an auth key.

Have a look at this guide to understand how ACL works:
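
What the question about ACL groups is getting at, as an added example that is not part of the thread or taken from the guide: the ACL plugin matches its whitelist and blacklist against the ACL groups a consumer belongs to, not against consumer usernames, so in db-less mode each consumer needs an ACL credential. The group name `test-sp-group`, the Secret names `test-sp-acl` and `test-sp-key`, and the ingress class `kong` are assumptions.

```yaml
# Added example; every value marked "assumed" is not from the thread.
# 1. ACL credential: puts its consumer into the group "test-sp-group".
apiVersion: v1
kind: Secret
metadata:
  name: test-sp-acl              # assumed Secret name
stringData:
  kongCredType: acl
  group: test-sp-group           # assumed group name
---
# 2. Consumer that references both its key-auth credential and the
#    ACL credential above.
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: test-sp
  annotations:
    kubernetes.io/ingress.class: kong   # assumed ingress class
username: test-sp
credentials:
- test-sp-key                    # assumed name of the existing key-auth Secret
- test-sp-acl
---
# 3. ACL plugin that lists the group rather than the consumer username.
#    A consumer with no matching group (test-sp2 here) gets 403.
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: acl-wl-test-sp
config:
  whitelist:
  - test-sp-group
  hide_groups_header: true
plugin: acl
```

With no ACL credential attached, a consumer belongs to no group, which is consistent with the symptoms in the question: a whitelist rejects every key and a blacklist rejects none.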
